The Python Security Response Team (PSRT) has achieved a milestone by approving a public governance document (PEP 811) and onboarding its first new non-Release Manager member since 2023, the Python Software Foundation announced today. This reform aims to bolster the sustainability of security work for the Python programming language.
Jacob Coffee, the PSF Infrastructure Engineer, has joined the PSRT under the new onboarding process. “This governance framework ensures we can scale security efforts without overburdening volunteers,” said Seth Larson, Security Developer-in-Residence at the PSF. “Adding Jacob is a great first step.”
Background
The PSRT is responsible for triaging and coordinating vulnerability reports for CPython, pip, and the broader ecosystem. Before PEP 811, the team operated without a public charter, making membership criteria opaque and creating sustainability risks.
PEP 811 now mandates a public member list, defined roles for admins and coordinators, and a formal onboarding and offboarding process. It also clarifies the PSRT’s relationship with the Python Steering Council. This reform was driven by Larson, whose role is sponsored by the Alpha-Omega Project. “Their support was essential for making this happen,” he said.
What This Means
With transparent governance, the PSRT can attract more contributors and distribute workload more evenly. The team published a record 16 advisories for CPython and pip last year alone, and frequently coordinates with other open-source projects—for instance, the recent PyPI ZIP archive differential attack mitigation.
“Involving subject-matter experts directly during remediation ensures fixes respect existing APIs and threat models,” Larson explained. “This minimizes disruption while maintaining long-term security.” New workflows are being developed to credit reporters and fixers in CVE and OSV records, recognizing their private contributions.
How to Join the PSRT
Membership is open beyond core developers. Any contributor can be nominated by an existing PSRT member, followed by a vote requiring at least two-thirds approval from current members. The process mirrors the Core Team nomination system. “We welcome diverse expertise,” Larson added.
The foundation expects additional members to join soon, further strengthening Python’s security posture. For details, see the full PEP 811 document.